Search Mailing List Archives
[liberationtech] Forbes recommends tools for journalists
DObrien at cpj.org
Mon Dec 17 12:12:02 PST 2012
On Mon, Dec 17, 2012 at 10:49:33AM -0700, frank at journalistsecurity.net wrote:
> If anyone here has any thoughts about the tools recommended in this
> Forbes piece, please speak up. The piece gets specific with
> recommendations form Ashkan Soltani, a technologist who I do not think
> is on this list, about half way down. Again, any thoughts would be
> welcome. Thank you! Frank
The reference to Glenn's "Create your own SSL certiiate" article is
weird; what he talks about in that Ars Technica piece not a replacement
for a VPN by any means, and I think the reference would just confuse
anyone who was not technical.
I think these days you have to tie Forbes' (good) advice not to save
everything with an encouragement to use full disk encryption. We're in
an awkward space right now where we can't fully guarantee that data gets
deleted off a modern flash (SSD) drive, even with previously strong
deletion tools. And forensics software is good enough to pick up a lot
of local clues about what you've used your own computer for, even if you
think you've turned off all logs and removed the saving of sensitive
data. Minimize what you record, but also encrypt.
I'd be cautious about explicitly recommending Word's encryption as they
do -- if you save encrypted docs in 97/2000 mode, they're instantly
breakable, and there are dedicated tools out there to break later
versions. I don't know whether they exploit later weaknesses, or are
just fancy password crackers.
Usual provisos about Skype (and Silent Circle to a certain extent).
It's *really* hard to permanently recommend particular products, without
at least making the statement "Keep an eye for news that the tools you
use are vulnerable, and keep the software updated."
We really need to stop making this exclusively about the tools, and make
it more about the practices, and tools that can reinforce those
practices. This article isn't that bad at all about that -- but you want
to be able to get people to a point where they can tell themselves
whether a package looks like snake oil or not.
> TECH | 12/07/2012 @ 1:33PM |24,858 views
> Dear Journalists at Vice and Elsewhere, Here Are Some Simple Ways Not To
> Get Your Source Arrested
> You forgot to scrub the metadata, suckers.
> Computer security millionaire John McAfee’s surreal flight from
> Belizean law enforcement came to an end this week when he was detained
> (and then hospitalized) in Guatemala, as has been widely reported. A
> piece of the story that hasn’t been included in much of the reporting
> is how authorities figured out that McAfee — who was wanted for
> questioning in the shooting death of his neighbor — had fled Belize
> for Guatemala. McAfee’s location was exposed after he agreed to let
> two reporters from Vice Magazine tag along with him. Proud to finally be
> in the thick of a story rife with vices — drugs, murder, prostitutes,
> guns, vicious dogs, a fugitive millionaire and his inappropriately young
> girlfriend — they proudly posted an iPhone photo to their blog of Vice
> editor-in-chief Rocco Castoro standing with the source of the mayhem in
> front of a jungly background, saying, “We are with John McAfee right
> now, suckers.”
> With that posting, they went from chroniclers of vices to inadvertent
> narcs. They left the metadata in the photo, revealing McAfee’s exact
> location, down to latitude and longitude. McAfee tried to claim he’d
> manipulated the data — a claim that Vice photographer backed up on
> Facebook in a posting he’s since deleted — but then capitulated,
> hired a lawyer, and tried to claim asylum in Guatemala. Guatemalan
> authorities instead detained McAfee for entering the country illegally.
> All of which was dutifully reported by the Vice reporters, with no
> mention of their screw-up. Mat Honan at Wired excoriated Vice for its
> role in events:
> This was deeply stupid. People have been pointing out the dangers of
> inadvertently leaving GPS tags in cellphone pictures for years and
> years. Vice is the same publication that regularly drops in on
> revolutions and all manner of criminals. They should have known better.
> And they have the resources to do it better. Vice is a $100 million
> Then, it followed up this egregiously stupid action with a far worse
> one. Vice photographer Robert King apparently lied on his Facebook page
> and Twitter in order to protect McAfee. Like McAfee, he claimed that the
> geodata in the photo had been manipulated to conceal their true
> location. …
> But the coverup, as always, is worse than the crime. In claiming the
> geodata had been manipulated when it had not, Vice was no longer just
> documenting. Now it was actively aiding a fugitive wanted for
> questioning in the murder investigation of his neighbor Gregory Faull,
> who was shot dead at his own home.
> Via How Trusting In Vice Led To John McAfee’s Downfall – Wired.
> It was indeed deeply stupid. Journalists are professional dealers in
> information but many are terrible about protecting it. While willing to
> go to jail to protect their sources, journalists may wind up leaving
> them exposed instead through poor data practices. In a New York Times
> editorial last year, Chris Soghoian, now chief technologist at the ACLU,
> warned that “secrets aren’t safe with journalists” explaining that
> “ the safety of anonymous sources will depend not only on
> journalists’ ethics, but on their computer skills.”
> There are three very basic things journalists should be doing to shield
> their sources:
> Scrubbing metadata from photos, documents and other files.
> Resisting the desire to save copies of everything.
> Encrypting communications.
> Technologist Ashkan Soltani walked me through some simple tools for
> doing this. They’re not foolproof, but they’ll make it a little less
> likely that your blog post will wind up sending the person you’re
> profiling to jail (unless that’s your intent).
> 1. Scrubbing metadata.
> “All files — photos, Word docs, PDFs — include some kind of
> metadata: author, location created, device information,” says Soltani.
> If you leave the metadata attached, you run the risk of exposing private
> information about the person who gave you the file, or, in the case of
> Vice, the location of the person trying to keep his location under
> Before you share a Word doc with the world that a source sent you, run
> it through a scrubber. Otherwise, it may reveal where the doc was
> created, who authored it and anyone who has ever made changes to it.
> There’s Doc Scrubber for Microsoft Word.
> For PDF docs, use a tool like Metadata Assistant. Or use Adobe
> Acrobat’s “Examine Document” tool which will scan the doc for
> hidden information.
> For photos, think about turning off geotagging on your phone or digital
> camera so that the information doesn’t get included in the first
> place. You’ll usually do that in your phone’s “Location
> Settings.” Instructions here.
> You can run your photos through a metadata scrubber. Or, if you don’t
> care much about the resolution, you can just take a screenshot of the
> photo and use that metadata-free version.
> Some photo-hosting services do you the favor of scrubbing metadata.
> Facebook, Twitter and Instagram all have this privacy-protective measure
> in place.
> 2. Resisting the desire to save copies of everything.
> We live in a time when it’s easy to save everything, meaning we’ve
> all become digital hoarders. Why delete an email or chat when you can
> just archive it? It could come in handy later. Or it could come back to
> bite you later.
> “Disable chat logs in whatever program you’re using, Gmail or
> Skype,” says Soltani. In Gmail, that means switching chats to “off
> the record.” In Skype, it means turning off the feature that
> automatically saves your chats to anywhere you log in. (Added privacy
> bonus: That could keep your boss from winding up getting his hands on a
> sexy chat you had on your home computer.)
> If you need to keep a record of a chat, save it as a Word file on your
> own computer, and encrypt it.
> “Don’t keep emails around for years and years,” says Soltani.
> “Practice better data hygiene.”
> Soltani says journalists and sources might consider setting up temporary
> email accounts to communicate about a story, and then to delete the
> accounts after the story’s complete. He compares it to using a burner
> cell phone.
> 3. Encrypting your communications.
> This may be the most labor intensive of the recommendations from
> computer security professionals, but if it’s important that your
> communications with someone not be compromised, it’s worth it. This
> means your emails will appear as gibberish to anyone you don’t want
> reading them. Had David Petraeus and Paula Broadwell encrypted their
> emails to one another rather than saving them in a drafts folder, their
> exposing themselves to each other wouldn’t have been exposed to the
> world. “This allows you to communicate securely and protects your
> messages if your account is compromised,” says Soltani.
> For chat, consider using Adium’s OTR.
> Use a Virtual Private Network or create your own SSL.
> Take 30 minutes (more or less, depending on your savvy level) to set up
> SMime or PGP for Gmail so that the emails you send from whichever
> provider you use are encrypted. The only limitation here: you need to
> get the person you’re communicating with to enable encryption as well.
> Rather than calling someone from your landline or cell phone, use Skype
> or Silent Circle.
> A journalist’s job is to bring information to light. Using these
> tools, you’ll retain some control over which information gets lit.
> 10 Incredibly Simple Things You Can Do To Protect Your Privacy
> Password Protect Your Devices
> Choosing not to password protect your devices is the digital equivalent
> of leaving your home or car unlocked. If you're lucky, no one will take
> advantage of the access. Or maybe the contents will be ravaged and your
> favorite speakers and/or secrets stolen.
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
More information about the liberationtech